| Commit message (Collapse) | Author | Age |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Create node.profile
* Create node-gyp.profile
* refactor npm as redirect
* Create npx.profile
* Create nvm.profile
* Create semver.profile
* refactor yarn as redirect
* collect node.js stack configuration in common profile
* add ~/.nvm to node section
* account for node-gyp python dependency
* read-only ~/.nvm for node.js stack
* blacklist ~/.nvm for node.js stack
* move env var comment cfr. profile.template
* Delete node-gyp.profile
node-gyp is a shell script with a node shebang. We've got that covered via node.profile.
* Delete npx.profile
npx is a shell script with a node shebang. We've got that covered via node.profile.
* Delete semver.profile
semver is a shell script that calls node. We've got that covered via node.profile.
* add node and nvm to new profiles section
|
|\
| |
| | |
New profile for neochat
|
| | |
|
| | |
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Due to using globbing on mkdir, the current version causes this:
@davidebeatrici commented on 2021-04-23[1]:
> ```
> Error: "${HOME}/.local/share/RogueLegacy*" is an invalid filename: rejected character: "*"
> ```
Added on commit a603d4d39 ("steam: some more games added") / PR #4170.
The wildcard was used because Rogue Legacy apparently looks up multiple
different paths for the config and also for the data[1][2][3]:
1. ~/.config/RogueLegacy
2. ~/.config/RogueLegacyStorageContainer
3. ~/.local/share/RogueLegacy
4. ~/.local/share/RogueLegacyStorageContainer
The ones containing "RogueLegacyStorageContainer" appear to be legacy
paths (i.e.: paths which are only created by older versions of Rogue
Legacy)[2].
So replace all globs with the full paths because:
* The paths are known a priori (unlike, say, `/var/lib/libpcre*`)
* There aren't too many of them
And use only the non-legacy paths on mkdir. Besides mirroring what the
current version of Rogue Legacy does (and avoiding the creation of
unnecessary dirs), this is also done because _if_ the following applies
(i.e.: this was not tested):
* legacy paths take precedence over non-legacy paths
* the first path clobbers the other ones (i.e.: rather than "merge")
* save data exists in a non-legacy path (i.e.: path 3 in this case)
* firejail creates all 4 paths
Then it would make the newly-created and empty path 4 clobber the
non-legacy path 3 and thus make it seem like no save files exist. This
would persist even if steam is run without firejail afterwards, as the
empty directory would still be there. Losing (or appearing to lose)
game saves can be very unfortunate, so create just the non-legacy paths
to avoid confusion.
[1] https://github.com/netblue30/firejail/pull/4170#issuecomment-825405930
[2] https://steamcommunity.com/app/241600/discussions/1/846957366713233279/
[3] https://www.pcgamingwiki.com/wiki/Rogue_Legacy#Game_data
|
|\
| |
| | |
Commons of opengl-game-wrapper.sh
|
| |
| |
| |
| |
| |
| |
| | |
…, gl-117, glaxium, pinball
alienarena is missing in firecfg.config by intention, I didn't tested
any online multiplayer.
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Add firedragon profile
* Point private-etc to firefox-common.local
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
* Add to firecfg.config
* Add firedragon to disable-programs.inc
* Correct dir
* Remove private-etc
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
|
|
|
|
|
| |
* New profile: Quodlibet
* New profile: Quodlibet
|
| |
|
| |
|
|
|
| |
closes #4115
|
|\
| |
| | |
[minor] qcomicbook and pipe-viewer in disable-programs
|
| | |
|
| |
| |
| | |
qcomicbook is the "PawelStolowski" folders
|
|\ \
| | |
| | | |
Create bcompare.profile
|
| | | |
|
| | | |
|
| | | |
|
| |/
|/|
| |
| | |
Left out of firecfg because I think it was buggy.
|
|\ \
| | |
| | | |
Add profile for youtube-dl-gui & some other changes
|
| | | |
|
|/ / |
|
| | |
|
|/ |
|
|\
| |
| | |
Email part (2)
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Update disable-programs.inc
* Create calligragemini.profile
* Update calligra.profile
* Update calligra.profile
* Update firecfg.config
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Update disable-programs.inc
* Update disable-programs.inc
* Update firecfg.config
* Create avidemux.profile
* Update avidemux.profile
|
|\ \
| | |
| | | |
ssh: Refactor, fix bugs & harden
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
That was added on the commit e93fbf3bd ("disable ssh-agent sockets in
disable-programs.inc").
Currently, it's the only ssh-related entry on disable-programs.inc.
Further, it seems that all the other socket blacklists live on
disable-common.inc. Also, even though this socket does not necessarily
allow arbitrary command execution on the local machine (like some paths
on disable-common.inc do), it could still do so for remote systems.
Put it above the "top secret" section, like the terminal sockets are
above the terminal server section.
|
| | | |
|
|\ \ \
| | | |
| | | | |
New profile for CoyIM
|
| | |/
| |/| |
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* refactor google-earth{-pro} blacklisting
* fix google-earth-pro.profile
I've included all binaries found in the Arch Linux AUR package to private-bin. But I also added a note on ignoring private-bin because I'm not sure what google-earth is doing on other distro's.
* unbreak google-earth.profile
Not sure why we need grep, ls and sed in private-bin exactly but keeping them around wouldn't hurt too much I guess.
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* add new profile: qnapi
* add new profile: qnapi
* Create qnapi.profile
* add qnapi configs
* Update README.md
* Update README.md
|
| |/
|/|
| |
| |
| |
| |
| |
| |
| | |
* new profile: shotwell
* Create shotwell.profile
* new profile: shotwell
* add shotwell blacklists
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* add yarn & reorder
* add node-gyp & yarn files
* Create nodejs-common.profile
* Create yarn.profile
* refactor npm.profile
* add new profile: yarn
* read-only's for npm/yarn
Thanks to the [suggestion](https://github.com/netblue30/firejail/pull/3876#pullrequestreview-564682989) from @kmk3.
* ignore read-only's for npm
As [suggested](https://github.com/netblue30/firejail/pull/3876#pullrequestreview-564682989) by @kmk3.
* ignore read-only for yarn
As suggested in https://github.com/netblue30/firejail/pull/3876#pullrequestreview-564682989 by @kmk3.
* remove quiet from nodejs-common.profile
quiet should go into the caller profiles instead
* add quiet to npm.profile
Thanks @rusty-snake for the review.
* re-ordering some options
* re-ordering
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Add profile for npm
* Apply suggestions from code review
* Remove redundant blacklisting of Wayland.
* Remove unnecessary noblacklist lines for nodejs.
* Replace absolute paths to .inc files with filenames.
* Remove unneeded dbus whitelisting.
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
* Remove empty line
To keep consistent with other profiles, remove the blank line after the header comment.
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
* Add npm files to add-common-devel
So that our addition of npm paths to disable-programs.inc dose not break IDEs,
we need to unblacklist these same paths in allow-common-devel.inc.
* Remove extra blank line
* Add common whitelist includes to npm profile
* Tighten npm profile
Include disable-exec.inc, but allowing ${HOME}.
* Remove whitelist-common.inc from npm profile
whitelist-common breaks npm, and since we don't know where the user's npm
projects will be, leave the whitelist-common include in a comment with a note
about how to enable it for their setup.
* Fix inverted commands
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
* Fixes for whitelisting
* Add login.defs to npm profile's private-etc
Co-authored-by: Aidan Gauland <aidalgol+git@fastmail.net>
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* new profile: tutanota-desktop
* add tutanota-desktop to firecfg
* blacklist tutanota-desktop files
* Create tutanota-desktop.profile
|
|\ \ |
|
| |\ \
| | | |
| | | | |
Small fixes
|
| | |/ |
|
| |/ |
|
|/ |
|